Possible Security Breach?

Archon Prime

Just to start off. I hate windows event logs with a passion.

I had one of my managed devices go offline last night at 4:47pm EST. It was the only one out of 5 units on site that did that. Turns out, when the end-user got on this morning it was completely shut down. They didn't shut it down. So I decided to take a look at the system and security logs for that time index. A few things popped up with red flags. Googling this stuff, it was a little iffy on what the concern was. RMM policies are set to reboot computers when needed at 3AM EST for all desktop machines, so Datto didn't do anything at this time. If anyone has a knack for this stuff, it would be great to understand if this is something to worry about. Otherwise, all my information as to why the computer was shut down, with nothing prior to initiating this, is concerning.

These are some of the logs at the specified time prior to shutdown (I'm taking these with a grain of salt, like the time change log, but the Possible detection of CVE is concerning):

---------------------------
2021-09-28 4:46:58PM:
Source: User32
The process C:\Windows\System32\RuntimeBroker.exe (PC1) has initiated the power off of computer PC1 on behalf of user PC1\accucare for the following reason: Other (Unplanned)
Reason Code: 0x0
Shutdown Type: power off
Comment:
-----------------------------------------------------------------------------------
Possible detection of CVE: 2021-09-28T20:47:05.6287516Z
Additional Information: 2021-09-28T20:47:05.6215840Z

This Event is generated when an attempt to exploit a known vulnerability (2021-09-28T20:47:05.6287516Z) is detected.
This Event is raised by a User mode process.
------------------------------------------------------------------------------------
The system time was changed.

Subject:
Security ID: S-1-5-19
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Process Information:
Process ID: 0x10d0
Name: C:\Windows\System32\svchost.exe

Previous Time: 2021-09-28T20:47:05.6215840Z
New Time: 2021-09-28T20:47:05.6287516Z

This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.
-----------------------------------------------------------------------------------

Currently running Microsoft vulnerability scanner (already ran full scan with Emsisoft)
 
What are the events immediately preceding the shutdown? Something else happened, and it may not even be an error, that triggered a shutdown request. I can't find any CVE issued yesterday. Did the system update antivirus just before this shutdown? Perhaps a false positive? Never seen an AV do a shutdown, reboot, but not a power down.

Does the system have remote access software, like TeamViewer?
 
The way I read it, M$ is calling a date time stamp, 2021-09-28T20:47:05.6287516Z, about 4 hours into the future, logged time 2021-09-28 4:46:58PM, as a vulnerability. Other than the event itself, that's not something I'd be concerned about on a one-off event.
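A triage script for the two questions raised above (what ran just before the 1074 shutdown, and whether the "Possible detection of CVE" field is really a timestamp copied from the 4616 time-change event). This is an added example, not code from any post in the thread; the time window is assumed and the script must run elevated on the affected machine.

```powershell
# Added triage example (not from the thread). Lists System-log events leading up
# to the shutdown and flags "Possible detection of CVE" messages whose CVE field
# is a timestamp that matches a Security 4616 "system time was changed" event.
# Assumptions: elevated session on the affected PC; window is local (EST) time.
param(
    [datetime]$Start = (Get-Date '2021-09-28 16:40:00'),   # assumed window start
    [datetime]$End   = (Get-Date '2021-09-28 16:50:00')    # assumed window end
)

# 1074 = shutdown initiated by a process (User32); 4616 = system time was changed.
$sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue

# Pull PreviousTime/NewTime/ProcessName out of each 4616 event's XML payload.
$timeChanges = foreach ($e in $sec) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.EventData.Data
    [pscustomobject]@{
        Recorded = $e.TimeCreated
        Process  = ($d | Where-Object Name -eq 'ProcessName').'#text'
        Previous = ($d | Where-Object Name -eq 'PreviousTime').'#text'
        New      = ($d | Where-Object Name -eq 'NewTime').'#text'
    }
}

# Timeline of everything in the System log before the power-off, oldest first.
$sys | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Classify each "Possible detection of CVE" message by what its CVE field contains.
foreach ($e in $sys) {
    if ($e.Message -match 'Possible detection of CVE:\s*(\S+)') {
        $cveField = $Matches[1]
        $asTime   = [datetime]::MinValue
        if ([datetime]::TryParse($cveField, [ref]$asTime)) {
            $hit = $timeChanges | Where-Object { $_.New -eq $cveField -or $_.Previous -eq $cveField }
            if ($hit) {
                "{0}: CVE field '{1}' equals the 4616 time change made by {2}; mislabelled time-change event, not an exploit." -f $e.TimeCreated, $cveField, ($hit.Process -join ',')
            } else {
                "{0}: CVE field '{1}' parses as a timestamp but no matching 4616 event found; review manually." -f $e.TimeCreated, $cveField
            }
        } else {
            "{0}: CVE field '{1}' is not a timestamp; treat as a genuine detection and investigate." -f $e.TimeCreated, $cveField
        }
    }
}
```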
 